Fix drift check

ansible/playbooks/drift-check.yml

@@ -3,86 +3,82 @@
   hosts: rsyslog_servers
   gather_facts: false
 
-  vars:
+  # NOTE: src paths below resolve relative to the Ansible controller (the
-    drift_detected: false
+  # Woodpecker CI container), so they always reflect the latest Git commit –
+  # NOT the server's local clone, which may be stale.
 
   tasks:
+    # -------------------------------------------------------------------------
+    # Use Ansible copy in check_mode so it compares controller files (Git)
+    # against live server files without actually writing anything.
+    # changed=true  → file differs → drift
+    # changed=false → files match  → synced
+    # -------------------------------------------------------------------------
     - name: Check main rsyslog.conf
-      block:
+      ansible.builtin.copy:
-        - name: Compare main configuration file
+        src: "{{ playbook_dir }}/../../files/rsyslog.conf"
-          command: diff {{ repo_root }}/files/rsyslog.conf {{ rsyslog_main_config }}
+        dest: "{{ rsyslog_main_config }}"
-          register: main_diff
+        owner: root
-          changed_when: false
+        group: root
-          failed_when: false
+        mode: '0644'
+      check_mode: true
+      diff: true
+      register: main_config_check
 
-        - name: Fail if main config has drift
+    - name: Check rsyslog.d config files
-          fail:
+      ansible.builtin.copy:
-            msg: "Main rsyslog.conf has drifted from Git. ({{ main_diff.stdout | default('no diff output') }})"
+        src: "{{ playbook_dir }}/../../files/rsyslog.d/"
-          when: main_diff.rc != 0
+        dest: "{{ rsyslog_config_dir }}/"
-          ignore_errors: true
+        owner: root
-          register: main_drift
+        group: root
+        mode: '0644'
+      check_mode: true
+      diff: true
+      register: rsyslogd_check
 
-        - name: Set drift flag for main config
+    - name: Check for extra files on server not present in Git
-          set_fact:
-            drift_detected: true
-          when: main_diff.rc != 0
-
-    - name: Check rsyslog.d directory
-      block:
-        - name: Find config files in repository
-          find:
-            paths: "{{ repo_root }}/files/rsyslog.d"
-            patterns: "*.conf"
-          register: repo_configs
-
-        - name: Compare each config file
-          command: diff {{ item.path }} {{ rsyslog_config_dir }}/{{ item.path | basename }}
-          register: file_diffs
-          changed_when: false
-          failed_when: false
-          loop: "{{ repo_configs.files }}"
-
-        - name: Set drift flag if any file differs
-          set_fact:
-            drift_detected: true
-          when: item.rc != 0
-          loop: "{{ file_diffs.results }}"
-
-    - name: Check for extra files on server
       block:
         - name: Find config files on server
-          find:
+          ansible.builtin.find:
             paths: "{{ rsyslog_config_dir }}"
             patterns: "*.conf"
           register: server_configs
 
-        - name: Check for files in server but not in repo
+        - name: Find config files in Git (controller)
-          set_fact:
+          ansible.builtin.find:
-            drift_detected: true
+            paths: "{{ playbook_dir }}/../../files/rsyslog.d"
-          when:
+            patterns: "*.conf"
-            - (server_configs.files | length) > (repo_configs.files | length)
+          delegate_to: localhost
+          register: repo_configs
 
-    - name: Report status
+        - name: Flag extra files on server
-      block:
+          ansible.builtin.set_fact:
-        - name: Print SYNCED status
+            extra_files_on_server: true
-          debug:
+          when: (server_configs.files | length) > (repo_configs.files | length)
-            msg: |
-              ╭─────────────────────────────╮
-              │  ✓ SYNCED                   │
-              │  Configuration is up-to-date │
-              ╰─────────────────────────────╯
-          when: not drift_detected
 
-        - name: Print OUT OF SYNC status
+    - name: Set overall drift flag
-          debug:
+      ansible.builtin.set_fact:
-            msg: |
+        drift_detected: "{{ main_config_check.changed or rsyslogd_check.changed or (extra_files_on_server | default(false)) }}"
-              ╭─────────────────────────────╮
-              │  ✗ OUT OF SYNC              │
-              │  Configuration has drifted   │
-              ╰─────────────────────────────╯
-          when: drift_detected
 
-        - name: Fail if drift detected
+    - name: Print SYNCED status
-          fail:
+      ansible.builtin.debug:
-            msg: "Configuration drift detected. Live system does not match repository."
+        msg: |
-          when: drift_detected
+          ╭─────────────────────────────╮
+          │  ✓ SYNCED                   │
+          │  Configuration is up-to-date │
+          ╰─────────────────────────────╯
+      when: not drift_detected
+
+    - name: Print OUT OF SYNC status
+      ansible.builtin.debug:
+        msg: |
+          ╭─────────────────────────────╮
+          │  ✗ OUT OF SYNC              │
+          │  Configuration has drifted   │
+          ╰─────────────────────────────╯
+      when: drift_detected
+
+    - name: Fail if drift detected
+      ansible.builtin.fail:
+        msg: "Configuration drift detected. Live system does not match repository."
+      when: drift_detected